Skip to content

build(deps): Bump dependabot/fetch-metadata from 2 to 3 in the gh-actions group#4

Merged
github-actions[bot] merged 1 commit into
mainfrom
dependabot/github_actions/gh-actions-c22e3e74e6
May 14, 2026
Merged

build(deps): Bump dependabot/fetch-metadata from 2 to 3 in the gh-actions group#4
github-actions[bot] merged 1 commit into
mainfrom
dependabot/github_actions/gh-actions-c22e3e74e6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 14, 2026

Copy link
Copy Markdown
Contributor

Bumps the gh-actions group with 1 update: dependabot/fetch-metadata.

Updates dependabot/fetch-metadata from 2 to 3

Release notes

Sourced from dependabot/fetch-metadata's releases.

v3.0.0

The breaking change is requiring Node.js version v24 as the Actions runtime.

What's Changed

New Contributors

Full Changelog: dependabot/fetch-metadata@v2...v3.0.0

v2.5.0

What's Changed

... (truncated)

Commits
  • 25dd0e3 v3.1.0 (#692)
  • e073f50 Merge pull request #705 from dependabot/dependabot/npm_and_yarn/hono-4.12.14
  • 0670e16 build(deps-dev): bump hono from 4.12.12 to 4.12.14
  • 7a7fe10 Merge pull request #702 from dependabot/dependabot/npm_and_yarn/dependencies-...
  • 5168191 Updating dist build
  • 23882e1 build(deps): bump @​actions/github in the dependencies group
  • 1072469 Merge pull request #701 from dependabot/dependabot/github_actions/actions/cre...
  • 43f8a00 build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
  • b4d904a Merge pull request #703 from dependabot/dependabot/npm_and_yarn/globals-17.5.0
  • c8046bb build(deps-dev): bump globals from 17.4.0 to 17.5.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the gh-actions group with 1 update: [dependabot/fetch-metadata](https://github.com/dependabot/fetch-metadata).


Updates `dependabot/fetch-metadata` from 2 to 3
- [Release notes](https://github.com/dependabot/fetch-metadata/releases)
- [Commits](dependabot/fetch-metadata@v2...v3)

---
updated-dependencies:
- dependency-name: dependabot/fetch-metadata
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: gh-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 14, 2026
@github-actions
github-actions Bot merged commit 2cee525 into main May 14, 2026
2 checks passed
@github-actions
github-actions Bot deleted the dependabot/github_actions/gh-actions-c22e3e74e6 branch May 14, 2026 02:51
wolpert added a commit that referenced this pull request May 16, 2026
- ceremony: default UV to REQUIRED so WebAuthn4J enforces flagUV (#2)
- ceremony: refuse the non-strict WebAuthnManager when attestation conveyance
  is not NONE; force operators to wire a strict manager explicitly (#3)
- jwt(spring): fail-fast on HS256 secrets shorter than 32 bytes; remove the
  silent expand() helper that masked weak keys (#4)
- jwt(micronaut): fail-fast on blank or short HS256 secrets; remove the
  zero-pad and random-on-blank fallbacks (#5)
- persistence: make signCount updates atomic against concurrent racing
  assertions so clone detection cannot be silently defeated — JDBI adds
  AND sign_count < :sc, DynamoDB adds a conditional UpdateItem (#6)
- starters: gate LoggingEmailSender / LoggingSmsSender behind dev-mode so
  magic-link tokens and OTP codes don't silently leak to production logs (#7)
- magic-link: replace the unbounded ConcurrentHashMap of consumed JTIs with
  a TTL-bounded Caffeine cache; fix the Javadoc to match reality (#8)
- magic-link: bind verification email to the user via UserLookup#emailFor
  and reject mismatches; admin service maps the new EmailMismatch result to
  a 400 (#9)
- persistence(dynamodb): server-enforce single-use for backup-code consume
  and OTP consume/incrementAttempts via ConditionExpression (#10)
- persistence(dynamodb): server-enforce challenge expiry in takeOnce
  via ConditionExpression on expiresAt instead of post-filtering in Java (#11)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
wolpert added a commit that referenced this pull request May 16, 2026
#1 — JdbiOtpRepository.incrementAttempts now unconditional; OtpService.verify uses >=
#2 — BackupCodeRepository.consume returns boolean; impls atomic; race-loser → NoMatch
#3 — OtpRepository.consume returns boolean; JDBI adds consumed=FALSE guard
#4 — PkAuthJwtValidator rejects kid-less tokens when keyset has any kid-bearing key
#5 — new ConsumedJtiStore SPI; in-memory Caffeine default; single-instance WARN
#6 — startAuthentication/startRegistration always emit non-null [] credential lists
#7 — new CeremonyRateLimiter SPI; default Caffeine impl; RateLimited variant; 429
#8 — JDBI/DynamoDB/InMemory repos wrap backend errors as PkAuthPersistenceException
#18 — new DuplicateCredentialException extends PkAuthPersistenceException (sealed)
#28 — OtpRepository.incrementAttempts returns OptionalInt; empty → NoActiveOtp

Blocked: none

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants